Business litigation over data breach reinstated by 9th Circuit

Data breach cases involving retail companies are becoming common in Oregon and other states. Usually, these business litigation claims are class actions filed to obtain redress for thousands if not millions of consumers. The claims usually center around the theft of the victims' personal information, including addresses, passwords and credit or debit card details, stored on a company's online servers.

The U.S. Court of Appeals for the 9th Circuit recently reinstated a class-action lawsuit against Zappos that had been dismissed by the federal district court. The case arises from an incident in 2012 when hackers accessed the Zappos servers and took the information pertaining to 24 million customers. The lawsuit filed on behalf of the victims was dismissed due to the district court's opinion that not all of the plaintiffs could establish proof of an actual injury that was traceable.

The Court of Appeals held that all of the customers could pursue their litigation against the defendant company. The Court held that the plaintiffs had sufficiently alleged a factual injury. The Court reasoned that it was sufficient to allege that there was a "substantial risk" that the hackers would commit identify fraud with the stolen information. The Court also held that the relevant time for determining standing was the date of filing the complaint, and not as of the present.

The Court rejected the lower court finding that any alleged harm was not traceable to the perpetrators' conduct. It also explained that the class action business litigation case was capable of providing relief to the victimized plaintiffs. The holding is a clear victory for consumers who may suffer a range of damages when their personal data is stolen from a retail establishment's online data bank. The case applies to Oregon and other 9th Circuit states and will likely have the impact of liberalizing the filing qualifications of similar claims going forward.